
Today’s cybercriminals are targeting identities, making use of phishing, vishing, and social engineering techniques. Gone are the days of easy-to-spot and low-effort phishing emails. Successful attacks now involve sophisticated methods that include impersonation of a trusted contact, such as a customer, vendor, partner, or even internal staff. In this newsletter we’ll explain how social engineering works and provide some tips on how to keep your organization safe.


If you’re not familiar with the term social engineering, it can briefly be defined as the use of psychological pressure to influence people to perform actions that harm them or divulge information that can then be used against them.
Most social engineering attacks follow one or more commonly used tactics:
Impersonation
A common form of social engineering is impersonation, where cybercriminals pose as a trusted contact. This could be a colleague in your organization or a representative from a vendor company you work with. An example would be receiving a call from someone claiming to be a vendor looking to confirm payment information. Since the attacker is spoofing a familiar brand, you may instinctively follow their instructions without questioning the request.
Sophisticated attacks may even create fake web pages and email accounts that use established branding such as logos to appear legitimate.
Creating a Sense of Urgency
Social engineering attacks often aim to create a sense of urgency. Attackers know that people tend to make mistakes when scared or pressured. For example, an attacker may claim that an action is needed immediately, such as approving a purchase to meet a deadline.
If an attacker is impersonating an authority figure such as your boss or law enforcement, they may threaten consequences if action isn’t taken swiftly. Try to keep this in mind when receiving unexpected emails or phone calls and remember to Stop, Look, and Think.
Appealing to Helpfulness and Curiosity
The reality is that being helpful and curious is just human nature. Cybercriminals know this and design attacks to exploit this behavior. An example would be someone messaging you on social media asking, “Is this you?” with an external link attached. Being curious, you may click the link and be asked to enter a password, unintentionally handing it over to the attacker.
Phishing and Vishing Defined
There are many attack types that cybercriminals use in social engineering attempts, but in this newsletter we will cover the two most common methods: phishing and vishing.
Phishing attacks are digital messages designed to manipulate the recipient into sharing sensitive information such as passwords, downloading malicious files, sending money, or taking some other damaging action. Phishing attempts are commonly seen in emails and often include malicious attachments or external links.
Vishing, or voice phishing, is a type of phishing attack that uses voice communication such as a phone call. As with traditional phishing attacks, cybercriminals will often impersonate a trusted contact, business, or agency to manipulate the recipient. Because the communication is direct, attackers often create a strong sense of urgency.

How to Protect Yourself
Defending against social engineering attacks is challenging because these attacks rely on human psychology rather than technological weaknesses. Here are some tips to help protect yourself and your organization:
- If you receive an unexpected email or phone call, contact the supposed sender via a confirmed method. Use a known email address or phone number to verify the request.
- Implement security awareness training. Many users do not know how to identify social engineering attacks. Regular training helps staff stay informed about the latest tactics.
- Enforce strong security access policies. Multi-factor authentication, geo-blocking, and device compliance policies can reduce the effectiveness of cyber attacks.
Conclusion
As social engineering tactics continue to evolve, staying informed and vigilant is more important than ever. By recognizing common manipulation strategies such as impersonation, manufactured urgency, and appeals to curiosity or helpfulness, organizations can strengthen their human firewall and reduce the risk of attacks.
Remember to verify unexpected communications through trusted channels, participate in regular security awareness training, and follow strong access control practices.
If you have any questions about the policies or procedures discussed in this newsletter, contact the CSOLVE team.
www.csolve.ca
salesdesk@csolve.ca
1.877.567.6593


Community Event
Our friends at Blue Door are hosting their annual Coldest Night of the Year fundraiser on February 28th in Richmond Hill. The event is a family-friendly walk to raise money for local charities serving people experiencing hurt, hunger, and homelessness.
Learn more and register here:
Coldest Night of the Year – Richmond Hill – Blue Door